Chinotto Spyware

Chinotto Spyware Description

A new, fully featured malware threat tracked as the Chinotto Spyware has been observed in attacks against North Korean defectors, journalists covering North Korea-related news, and other South Korean entities. The malware acts as a late-stage threat that is delivered to the already breached systems of the targeted victims. The main functionality of Chinotto involves establishing control over the compromised device, collecting various sensitive information from it, and exfiltrating the data to a Command-and-Control (C2, C&C) server.

The attack campaign is attributed to the state-sponsored Advanced Persistent Threat (APT) group APT37. The infosec community has also tracked this particular North Korea-related cybercrime group as ScarCruft, InkySquid, Reaper Group and Ricochet Chollima. This recent attack operation is highly targeted. The threat actor used collected Facebook accounts to contact the chosen individuals and then sent them a spear-phishing email.

The corrupted emails contained a lure document that is supposedly related to the national security of South Korea and the situation with its northern neighbor. Once the user tries to open the weaponized document, a hidden macro is triggered and the attack chain begins. Infosec researchers discovered and analyzed the APT37 operation. According to their findings, it used multiple malware threats that were deployed at different stages of the attack.

It should be noted that there is a variant of the Chinotto threat designed specifically to infect Android devices. The goal of the attackers remains the same: obtaining sensitive information and establishing spying routines on the mobile device. The Android version was spread via smishing attacks and prompted the targeted users to grant it a wide range of device permissions. If successful, the threat will be able to access the user's contact list, messages and call logs, make audio recordings and more. The spyware would also collect data from several targeted applications such as the Huawei Driver, KakaoTalk and the Tencent WeChat (Weixin).